feat(nixos): key-only sshd hardening on T400 and Mac Pro

New system/modules/ssh.nix disables password and keyboard-interactive auth and root login, and installs the authorized key for the primary user. Imported by the two hosts that run sshd; each still enables the service and opens port 22 in its own config. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-10 16:22:12 +01:00
parent bdfc27cf93
commit 93571386bd
2 changed files with 21 additions and 0 deletions
@@ -238,6 +238,7 @@
            modules = [
              ./system/machine/T400/configuration.nix
              ./system/modules/laptop.nix
+              ./system/modules/ssh.nix
              # No t400-specific profile exists; compose the generic ThinkPad +
              # laptop/SSD/Intel building blocks (tp_smapi/acpi_call for battery
              # thresholds, SSD + microcode defaults).
@@ -261,6 +262,7 @@
            modules = [
              ./system/machine/MacPro31/configuration.nix
              ./system/modules/desktop.nix
+              ./system/modules/ssh.nix
              inputs.nixos-hardware.nixosModules.common-pc-ssd
              inputs.nixos-hardware.nixosModules.common-cpu-intel
              ./lyrathorpe/swaywm.nix